2002-02 Limiting output to reporters can be bypassed
Last Modified: December 23, 2006 04:12AM
(Mantis 0.16.0 to 0.17.3)
Description

0. Table of Contents

1. Introduction
2. Summary / Impact analysis
3. Affected versions
4. Workaround / Solution
5. Proof of Vulnerability
6. Contact details

1. Introduction

Mantis is an Open Source web-based bug-tracking system, written in PHP, which
uses the MySQL database server. It is being actively developed by a small
group of developers, and is considered to be in the beta stage.

2. Summary / Impact analysis

It is possible to instruct Mantis to show reporters only the bugs that they
reported, by setting the limit_reporters option to ON. This will
automatically set the 'reporter' filter on the 'View Bugs' page.

The information on the 'View Bugs' page was also available in a form
suitable for printing, by clicking on the 'Print Reports' link on the 'View
Bugs' page. However, the script behind that link, print_all_bug_page.php, did
not check the limit_reporters option and thus allowed reporters to see the
summaries of bugs they did not report.

This has been fixed in Mantis 0.17.4.

3. Affected versions

The following versions are known to be affected:
Mantis 0.17.3
Mantis 0.17.2
Mantis 0.17.1
Mantis 0.17.0
Mantis 0.16.1
Mantis 0.16.0

The following versions are known to be unaffected:
Mantis 0.17.4a
Mantis 0.17.4
Any version below Mantis 0.16.0 (*)

* = The 'Print reports' feature did not exist in those versions.

4. Workaround / Solution

Mantis 0.17.4 adds the appropriate permission checks to the 'Print Reports'
page.
All users are recommended to upgrade to this version as soon as possible.

If upgrading is not an option, print_all_bug_page.php can be patched to close
this vulnerability.
The following instructions apply to Mantis 0.17.3, and may also apply to
earlier versions:

In print_all_bug_page.php, after the block of assignments from
$t_setting_arr, insert the following lines:

    # Limit reporters to only see their reported bugs
    if ( ( ON == $g_limit_reporters ) && ( !access_level_check_greater_or_equal( UPDATER ) ) ) {
        $f_user_id = get_current_user_field( "id" );
    }

5. Proof of Vulnerability

No trickery is required to allow a reporter to see the summaries of bugs
that (s)he did not report. The reporter just has to go to 'View Bugs', click
on 'Print Reports' and make sure the 'reporter' filter is set to anything
but his/her own name.
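The following is an added example, not code from the Mantis project or from this advisory. It models the access check from sections 4 and 5 in Python so the two behaviours can be compared side by side: the 'View Bugs' page forces the reporter filter to the current user, the unpatched print page trusts whatever reporter filter the request carries, and the patched print page applies the same rule as 'View Bugs'. The access-level constants, user ids and bug records are constructed for illustration; the only thing taken from the advisory is the rule itself (limit_reporters ON and access below UPDATER means the filter is pinned to the current user). The final function is a regression check a maintainer could run over every listing entry point.

```python
"""Model of the Mantis limit_reporters rule (added example, not Mantis code)."""
from dataclasses import dataclass
from typing import Callable, List, Optional

# Constructed access levels in the order Mantis ranks them (values are illustrative).
VIEWER, REPORTER, UPDATER, DEVELOPER, MANAGER, ADMINISTRATOR = 10, 25, 40, 55, 70, 90
ON, OFF = 1, 0


@dataclass(frozen=True)
class Bug:
    id: int
    reporter_id: int
    summary: str


@dataclass(frozen=True)
class User:
    id: int
    access_level: int


# Constructed sample data: bugs from two different reporters.
BUGS = [
    Bug(1, 100, "login fails after password change"),
    Bug(2, 200, "crash when saving attachment"),
    Bug(3, 100, "typo in footer"),
]


def effective_reporter_filter(user: User, limit_reporters: int,
                              requested_reporter_id: Optional[int]) -> Optional[int]:
    """The rule from section 4: when limit_reporters is ON and the user is below
    UPDATER, ignore the requested filter and pin it to the user's own id.
    Centralising it here is what lets every listing page share one check."""
    if limit_reporters == ON and user.access_level < UPDATER:
        return user.id
    return requested_reporter_id


def _list(bugs: List[Bug], reporter_id: Optional[int]) -> List[int]:
    """Return the ids of bugs matching the reporter filter (None = no filter)."""
    return [b.id for b in bugs if reporter_id is None or b.reporter_id == reporter_id]


def view_bugs_page(user: User, bugs: List[Bug], limit_reporters: int,
                   requested_reporter_id: Optional[int] = None) -> List[int]:
    """'View Bugs' as the advisory describes it: the filter is forced server-side."""
    return _list(bugs, effective_reporter_filter(user, limit_reporters, requested_reporter_id))


def print_all_bug_page_vulnerable(user: User, bugs: List[Bug], limit_reporters: int,
                                  requested_reporter_id: Optional[int] = None) -> List[int]:
    """print_all_bug_page.php before 0.17.4: the request's reporter filter is used as-is,
    so the limit_reporters setting has no effect on this page."""
    return _list(bugs, requested_reporter_id)


def print_all_bug_page_fixed(user: User, bugs: List[Bug], limit_reporters: int,
                             requested_reporter_id: Optional[int] = None) -> List[int]:
    """The same page with the advisory's check applied before the listing is built."""
    return _list(bugs, effective_reporter_filter(user, limit_reporters, requested_reporter_id))


def leaks_other_reporters_bugs(page: Callable[..., List[int]], user: User,
                               bugs: List[Bug]) -> bool:
    """Regression check: with limit_reporters ON, a user below UPDATER must never see
    a bug they did not report, whatever reporter filter the request carries."""
    by_id = {b.id: b for b in bugs}
    probes = {None} | {b.reporter_id for b in bugs}
    for probe in probes:
        for bug_id in page(user, bugs, ON, probe):
            if by_id[bug_id].reporter_id != user.id:
                return True
    return False


if __name__ == "__main__":
    alice = User(100, REPORTER)
    for name, page in [("view_bugs_page", view_bugs_page),
                       ("print_all_bug_page (vulnerable)", print_all_bug_page_vulnerable),
                       ("print_all_bug_page (fixed)", print_all_bug_page_fixed)]:
        print(f"{name}: leaks = {leaks_other_reporters_bugs(page, alice, BUGS)}")
```

The useful habit the example encodes is that the authorisation decision lives in one function that every listing page calls, and that the regression check walks each entry point with every plausible filter value rather than trusting that the main page's behaviour carries over to its print variant.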

6. Contact details

The latest version of Mantis is always available from:
http://www.mantisbt.org/
The current version is 1.0.6, which can be downloaded from
http://www.mantisbt.org/download.php

If you have any questions about this vulnerability, or wish to report
another, you can report it as a private issue on:
http://www.mantisbt.org/bugs/

The latest version of this and other advisories can be found at:
http://www.mantisbt.org/manual/

Last updated: Wed, 20 Aug 2008 - 11:33:17